AmberWolf Reveals New Attack Method with NachoVPN
Researchers at AmberWolf, a provider of offensive cyber solutions, have unveiled a novel attack technique that exploits vulnerabilities in widely used corporate VPN clients. To demonstrate this method, they developed an open-source tool called NachoVPN, which targets VPN clients from major vendors such as Palo Alto Networks, SonicWall, Cisco, and Ivanti.
NachoVPN, compatible with both Windows and macOS, simulates a rogue VPN server that exploits trust relationships between VPN clients and servers. It employs a plugin-based architecture, allowing developers to extend its support to other VPN products. The tool highlights how security flaws—both recently patched and older ones—can be leveraged to compromise systems. AmberWolf emphasized the tool’s ability to illustrate potential risks while encouraging users to patch known vulnerabilities.
Specific Threats to Palo Alto Networks GlobalProtect
One critical demonstration involved Palo Alto Networks’ GlobalProtect VPN client. Researchers identified a flaw in the automatic update mechanism, enabling attackers to install a malicious root certificate. This could lead to remote code execution and privilege escalation. Palo Alto Networks has assigned this vulnerability the identifier CVE-2024-5921, labeling it a medium-severity issue stemming from insufficient certificate validation.
AmberWolf explained that an attacker would need to trick a user into connecting to a rogue VPN server through social engineering tactics. Exploiting the flaw requires local non-admin access to the operating system or proximity on the same network subnet as the victim. While no malicious exploitation of this vulnerability has been reported, the release of NachoVPN as a proof-of-concept raises concerns about potential misuse.
Palo Alto Networks issued a security advisory and rolled out fixes for the issue on November 26. The vulnerability has been resolved in GlobalProtect version 6.2.6 for Windows, with mitigations available for other platforms. The company has urged users to apply the patches promptly to safeguard their systems.
SonicWall VPN Vulnerabilities Deemed High Severity
AmberWolf’s research also revealed a significant vulnerability in SonicWall’s SMA100 NetExtender VPN client for Windows, tracked as CVE-2024-29014. This flaw, rated as high severity, allows attackers to execute remote code with System-level privileges. Exploitation involves tricking users into visiting a malicious website and accepting a browser prompt.
SonicWall addressed the vulnerability with patches released in mid-July, clarifying that the issue does not affect its firewalls running SonicOS or the NetExtender Linux client. The company strongly advised users to update their systems, as the flaw poses a considerable risk if left unpatched.
AmberWolf’s findings underscore the critical need for organizations to maintain updated systems and address vulnerabilities proactively. By releasing NachoVPN, the researchers aim to highlight the importance of closing security gaps before they can be exploited by malicious actors.